[17491] in bugtraq


Re: Mantrap By Recourse Technologies - Fate Advisory (11-01-00)

daemon@ATHENA.MIT.EDU (Dave Dittrich)
Sat Nov 4 12:42:21 2000

Message-ID:  <Pine.LNX.4.21.0011040116100.11477-100000@shivax2.cac.washington.edu>
Date:         Sat, 4 Nov 2000 01:30:27 -0800
Reply-To: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
From: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
X-To:         Loki <loki@f8labs.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <PGEAJALLCLNHFIPHDCNOIEMMCDAA.loki@f8labs.com>

> This can also possibly be used to detect LKM trojans and the like.
> It might give a false alarm though, as some kernel patches
> designed to hide other user's processes might give the same result.
> But together with the other tell-tale signs of ManTrap it gives a
> very good fingerprint.

It doesn't seem to work against TESO's Adore LKM, while Stephane
Aubert's "rkscan" (published on the INCIDENTS list on 25 Oct 2000)
currently does:

   $ id
   uid=500(notroot) gid=500(notroot) groups=500(notroot),236(office)
   $ ./mantrap -a
   ManTrap detection/testing program by wilson@f8labs.org - www.f8labs.org
   proc-vs-kill() test:
     Normal: No mismatches found.
   dotdot test:
     Normal: /proc/.. found in directory listing.
   cwdwalk test:
     Normal: getwd() succeeded after chdir to /proc/self/cwd.
   Finished.
   $ ./rkscan
   -=-      Rootkit Scanner      -=-
   -=- by Stephane.Aubert@hsc.fr -=-

     Scanning for ADORE version 0.14, 0.24 and 2.0b ...
     #ADORE rootkit is running with ELITE_CMD=31337 !

     Scanning for KNARK version 0.59 ...
     KNARK rootkit NOT DETECTED on this system.

   Done.

I haven't tried it yet against knark or other Linux LKMs... (nor do I
have mantrap to test rkscan against it.)

--
Dave Dittrich                           Computing & Communications
dittrich@cac.washington.edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
